CLAIMS: 

We claim: 

1. A method of producing a blended synchronization (SYN) cookie for use in a three-way handshake process comprising the steps of:

identifying within a SYN packet a source network address and desired communications session parameters;

retrieving an index value into a table of pre-configured sets of communications session parameters, said index value referencing one of said sets which approximates said desired communications parameters;

computing a hash value based upon said source network address, a constant seed and current date and time data; and,

combining said computed hash value with said index value, said combination forming the blended SYN cookie.



2. The method of claim 1, wherein said combining step comprises:

reducing said computed hash value by N most significant binary digits to accommodate N binary digits required to represent said index value; and,

combining said reduced hash value with said index value, said combination forming the blended SYN cookie.

3. A three-way handshake method, the three-way handshake comprising an initial request, an intermediate response to the initial request, and a final acknowledgment of the intermediate response, the method comprising the steps of:

extracting synchronization data from the initial request;

storing said synchronization data in a fixed length, wrap-around table;

based upon session parameters contained in said synchronization data, acquiring an index into a table of pre-configured sets of session parameters;

computing an initial hash value based upon at least part of said synchronization data;

combining said initial hash value and said acquired index and placing said combination into the intermediate response to the initial request; and,

responsive to receiving the final acknowledgment of the intermediate response, extracting acknowledgment data from the final acknowledgment, identifying said initial hash value in said acknowledgment data, computing a new hash value based upon at least part of said acknowledgment data, comparing said new hash value with said initial hash value, and if said hash values do not match, discarding the final acknowledgment.

4. The three-way handshake method of claim 3, further comprising the step of, if said hash values match, locating said session parameters in said fixed length, wrap-around table and establishing a communications session using said located session parameters.

5. The three-way handshake method of claim 4, further comprising the step of, if
said session parameters cannot be located, identifying said acquired index in said 
acknowledgment data, retrieving a pre-configured set of communication parameters 
based upon said acquired index, and establishing a communications session using said 
located session parameters. 
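
The flow of claims 1 to 5, as an added Python example that is not code from the patent: a SYN produces a 32-bit blended cookie, and the ACK is either discarded, matched to the stored parameters, or served from the pre-configured set named by the index. Assumptions not stated in the claims: HMAC-SHA256 as the hash, the index in the low N bits, a 64-second time slot, the contents of `PARAM_TABLE`, and keying the wrap-around table by cookie.

```python
import hashlib
import hmac

# Hypothetical pre-configured parameter sets (MSS, window scale), sorted ascending.
PARAM_TABLE = [(536, 0), (1024, 0), (1460, 0), (1460, 7)]
INDEX_BITS = 2                       # N bits needed to represent a table index
HASH_BITS = 32 - INDEX_BITS          # hash is reduced by N bits to make room
SEED = b"constructed-constant-seed"  # constructed sample value
SLOT_SECONDS = 64                    # assumption: time enters the hash as a coarse slot


class WrapTable:
    """Fixed-length, wrap-around store of desired parameters (keyed by cookie: assumption)."""
    def __init__(self, size):
        self.slots, self.next = [None] * size, 0

    def store(self, cookie, params):
        self.slots[self.next] = (cookie, params)   # overwrites the oldest entry
        self.next = (self.next + 1) % len(self.slots)

    def find(self, cookie):
        return next((e[1] for e in self.slots if e and e[0] == cookie), None)


def approx_index(mss, wscale):
    """Index of the largest pre-configured set not exceeding the desired parameters."""
    fits = [i for i, (m, w) in enumerate(PARAM_TABLE) if m <= mss and w <= wscale]
    return fits[-1] if fits else 0


def reduced_hash(src_ip, slot):
    msg = src_ip.encode() + slot.to_bytes(8, "big")
    full = int.from_bytes(hmac.new(SEED, msg, hashlib.sha256).digest()[:4], "big")
    return full & ((1 << HASH_BITS) - 1)           # drop the N most significant bits


def on_syn(src_ip, mss, wscale, now, table):
    """Build the blended cookie for the SYN/ACK and remember the exact parameters."""
    slot = int(now) // SLOT_SECONDS
    cookie = (reduced_hash(src_ip, slot) << INDEX_BITS) | approx_index(mss, wscale)
    table.store(cookie, (mss, wscale))
    return cookie


def on_ack(cookie, src_ip, now, table):
    """Return session parameters, or None when the ACK must be discarded."""
    slot = int(now) // SLOT_SECONDS
    valid = {reduced_hash(src_ip, s) for s in (slot, max(slot - 1, 0))}
    if cookie >> INDEX_BITS not in valid:
        return None
    return table.find(cookie) or PARAM_TABLE[cookie & ((1 << INDEX_BITS) - 1)]
```

Once the wrap-around table has overwritten an entry, a valid ACK still yields a session, but with the approximated parameters rather than the ones the client asked for.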

6. The three-way handshake method of claim 5, wherein said establishing step
comprises:

adding a mapping in a network address translation (NAT) process between a 
source end-point of the initial request and a destination end-point specified in said 
synchronization data; 

performing a three-way handshake with said destination end-point, said three- 
way handshake comprising the steps of generating a SYN request containing data 
reconstructed from said initial request, receiving a SYN/ACK response, computing a 
server packet sequence number offset based upon a sequence number specified in 
said SYN/ACK and said combination; modifying said acknowledgment data with said 
offset, and forwarding said acknowledgment data as an ACK to said destination end- 
point, said three-way handshake establishing a communications link between said 
source and destination end-points; and, 

routing data in said NAT between said source and destination end-points. 

7. The three-way handshake method of claim 3, further comprising the steps of:

observing said session parameters in said synchronization data; and,

tuning said table of pre-configured sets of session parameters based upon said observed session parameters.

8. A communications handshake system comprising:

a communications process configured to receive and respond to requests to establish data communications sessions, said requests comprising synchronization (SYN) packets and acknowledgment (ACK) packets;

a fixed length, wrap-around table configured to store desired session parameters extracted from said SYN packets;

a table of pre-configured session parameters which can be used to approximate said desired session parameters; and,

a blended SYN cookie generator configured to combine SYN cookies with an index into said table of pre-configured session parameters, said index referencing a set of pre-configured session parameters which approximate corresponding ones of said desired session parameters;

whereby said communications process both can authenticate said ACK packets by comparing hash values contained in said SYN cookies with hash values generated in response to receiving said ACK packets, and also can establish said data communication sessions using said desired session parameters in said fixed length, wrap-around table, or said approximated session parameters where said desired session parameters are not found in said fixed length wrap-around table.

9. The communications handshake system of claim 8, further comprising a network address translator configured to perform network address translation between end-points in said established communications sessions.

10. The communications handshake system of claim 8, wherein said SYN cookie comprises a hash value computed from a network address, a seed value and a date and time value.



11. A machine readable storage having stored thereon a computer program for performing a three-way handshake method, the three-way handshake comprising an initial request, an intermediate response to the initial request, and a final acknowledgment of the intermediate response, the computer program comprising a routine set of instructions for causing the machine to perform the steps of:

extracting synchronization data from the initial request;

storing said synchronization data in a fixed length, wrap-around table;

based upon session parameters contained in said synchronization data, acquiring an index into a table of pre-configured sets of session parameters;

computing an initial hash value based upon at least part of said synchronization data;

combining said initial hash value and said acquired index and placing said combination into the intermediate response to the initial request; and,

responsive to receiving the final acknowledgment of the intermediate response, extracting acknowledgment data from the final acknowledgment, identifying said initial hash value in said acknowledgment data, computing a new hash value based upon at least part of said acknowledgment data, comparing said new hash value with said initial hash value, and if said hash values do not match, discarding the final acknowledgment.

12. The machine readable storage of claim 11, further comprising, if said hash 
values match, locating said session parameters in said fixed length, wrap-around table 
and establishing a communications session using said located session parameters. 

13. The machine readable storage of claim 12, further comprising, if said session 
parameters cannot be located, identifying said acquired index in said acknowledgment 
data, retrieving a pre-configured set of communication parameters based upon said 
acquired index, and establishing a communications session using said located session 
parameters. 

14. The machine readable storage of claim 13, wherein said establishing step 
comprises: 

adding a mapping in a network address translation (NAT) process between a source end-point of the initial request and a destination end-point specified in said synchronization data;

performing a three-way handshake with said destination end-point, said three-way handshake comprising the steps of generating a SYN request containing data reconstructed from said initial request, receiving a SYN/ACK response, computing a server packet sequence number offset based upon a sequence number specified in said SYN/ACK and said combination; modifying said acknowledgment data with said offset, and forwarding said acknowledgment data as an ACK to said destination end-point, said three-way handshake establishing a communications link between said source and destination end-points; and,

routing data in said NAT between said source and destination end-points.

15. The machine readable storage of claim 11, further comprising the steps of:

observing said session parameters in said synchronization data; and,

tuning said table of pre-configured sets of session parameters based upon said observed session parameters.

16. A blended SYN cookie article of manufacture, comprising:

an index value into a table of pre-configured sets of communications session parameters, said index value referencing one of said sets which approximates specified communications parameters; and,

a hash value combined with said index value, said hash value comprising a hash of a network address, a constant seed and current date and time data.

17. The blended SYN cookie article of manufacture of claim 16, wherein said hash value comprises the N most significant binary digits of said hash value, wherein N is computed based upon a number of binary digits required to represent said index value.